perfsonar-user - [perfsonar-user] Re: [perf-node-users] Securing perfSONAR-PS installations
Subject: perfSONAR User Q&A and Other Discussion
List archive
- From: Jason Zurawski <>
- To: Roderick Mooi <>, perf-node-users <>, perfsonar-ps-users <>, perfsonar-user <>
- Subject: [perfsonar-user] Re: [perf-node-users] Securing perfSONAR-PS installations
- Date: Thu, 27 Jun 2013 09:32:16 -0400
- Authentication-results: sfpop-ironport03.merit.edu; dkim=pass (signature verified)
Hey Roderick;
As an FYI the LHCOPN document was produced by external parties, but the
suggestions are sound depending on the policy set forth by the operating
institution. Note the date is about 2 years ago, so some of the items they
are working around could have been addressed in subsequent releases.
Earlier this year we published some information on ways to allow the toolkit
to work better with firewalls:
http://psps.perfsonar.net/toolkit/firewalls.html
Coupled with this, the latest release has a stub iptables file that can be
used to implement host based filtering if that is so desired.
One thing that I think we discussed (not sure if it was implemented) was
putting in some SSH protections like these:
http://codeghar.wordpress.com/2010/04/25/secure-your-ssh/. Many people
already implement the throttling suggestions, and that meets the checkbox for
security on that service in many cases. It may also make sense to disallow
root logins, or empty passwords (once the machine is setup). Those are a
little harder for us to do by default, but certainly could work well.
As a part of a broader campus/network security plan, its always a good idea
to consider the use of systems that watch for strange behavior (tripwire,
bro), and lots of sites do this already.
Trying to integrate federated login techniques to the performance node has
been shown to work, I know some locations have installed the kerberos from
the CentoOS repos, and configured it as they would any other system.
Lastly, if sites are using a non-pemanent install (like a live CD), they
often can get away with calling this an 'appliance', and thus a reboot can be
used to clean out the system in the event that something bad does happen.
In general, our stance remains that to get accurate measurements of the
network, the performance node should be free of infrastructure that will
limit performance. There is value in seeing 'what the users see' however, so
users have to have their connectivity dragged through devices that limit
performance, the performance node should do so as well.
Hope this helps;
-jason
On Jun 27, 2013, at 7:53 AM, Roderick Mooi wrote:
> Hi everyone,
>
> What advice/recommendations are available for securing perfSONAR servers
> and/or the toolkit itself?
>
> I've previously used this guide:
> https://twiki.cern.ch/twiki/pub/LHCOPN/PerfsonarPS/perfSONAR-PS_Security_Guidelines.pdf
>
>
> Are there any updates or other resources or recommendations particularly
> for v3.3?
>
> Thanks very much!
>
> Regards,
>
> Roderick
>
>
> --
> This message is subject to the CSIR's copyright terms and conditions,
> e-mail legal notice, and implemented Open Document Format (ODF) standard.
> The full disclaimer details can be found at
> http://www.csir.co.za/disclaimer.html.
>
> This message has been scanned for viruses and dangerous content by
> MailScanner,
> and is believed to be clean.
>
> Please consider the environment before printing this email.
- [perfsonar-user] Securing perfSONAR-PS installations, Roderick Mooi, 06/27/2013
- [perfsonar-user] Re: [perf-node-users] Securing perfSONAR-PS installations, Jason Zurawski, 06/27/2013
- [perfsonar-user] Re: [perf-node-users] Securing perfSONAR-PS installations, Brian Tierney, 06/27/2013
- [perfsonar-user] Re: [perf-node-users] Securing perfSONAR-PS installations, Jason Zurawski, 06/27/2013
Archive powered by MHonArc 2.6.16.